Cisco IOS, Multiple WAN & Port Forwards (Outside -> Inside PAT)
I have been trying to work out how to accomplish PAT from Outside to Inside on a Cisco IOS router, in this case specifically a Cisco 2901 running IOS Version 15.1(4)M1.
Firstly, the problem I am trying to solve is that we'd like external port forwards to work regardless of which connection is the default gateway.
On this particular router we have two WAN connections. One is on the built-in Gig0/0 interface and the other on an EHWIC card exposing Gig0/0/0.
An example port forward rule on this device:
ip nat inside source static tcp 192.168.1.10 3389 x.x.x.x 3389 extendable
where x.x.x.x is the IP address of interface Gig0/0/0.
This works fine if Gig0/0/0 is the default gateway for the router; however, if Gig0/0 is the default gateway the port forward breaks.
It's also worth noting that the Gig0/1 interface is the default gateway for all LAN computers and servers, and is designated ip nat inside, whereas Gig0/0 and Gig0/0/0 are both ip nat outside.
I am performing my standard Inside to Outside PAT using route-map entries which match my NAT ACL with the interface.
I know I can mess around with ip nat outside and NAT pools, but is there a cleaner way I can achieve what I want? Even if I'm going about it the completely wrong way and NAT/PAT isn't the solution to my problem, pointing me in the right direction would be a major help!
The only reason I think this is my best bet is that every firewall device I've used has functionality in its policies to perform source NAT translation to the IP address of the egress interface, and it is so simple to turn on!
Edit: Watered down config
interface GigabitEthernet0/0
description ----WAN_INTERFACE_PRI----
mtu 1596
ip address x.x.x.x 255.255.255.248
ip access-group SECURE-IN in
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
no cdp enable
service-policy output EthernetAccessService
!
interface GigabitEthernet0/1
description ----INTERNAL----
ip address 192.168.1.1 255.255.255.0
ip access-group OUT-FILTER in
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description ----WAN_INTERFACE_BACK----
ip address y.y.y.y 255.255.254.0
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.1.10 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source route-map BACK_WAN interface GigabitEthernet0/0/0 overload no-payload
ip nat inside source route-map PRI_WAN interface GigabitEthernet0/0 overload no-payload
! <Many port forwards cut>
ip route 0.0.0.0 0.0.0.0 (x.x.x.x Gateway) permanent
ip route 0.0.0.0 0.0.0.0 (y.y.y.y Gateway) 10 permanent
!
ip access-list extended NAT-ACL
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any
ip access-list extended OUT-FILTER
permit icmp any any
permit ip object-group Unrestricted-Access-Group any
deny ip 192.168.1.0 0.0.0.255 any
deny ip any any
ip access-list extended SECURE-IN
permit ip host <allowed telnet/ssh addresses> any
deny tcp any any eq telnet log
deny tcp any any eq 22 log
permit ip any any
!
no cdp run
!
!
!
route-map PRI_WAN permit 10
match ip address NAT-ACL
match interface GigabitEthernet0/0
!
route-map BACK_WAN permit 10
match ip address NAT-ACL
match interface GigabitEthernet0/0/0
Tags: cisco, nat, ios
asked Apr 20 '15 at 12:56 by Antix, edited Apr 20 '15 at 23:44
1 Answer
From what I understand, you have two internet connections on the router - I assume for redundancy.
Can I assume that if Gi0/0/0 goes down, then Gi0/0 takes over your internet connection?
If that is the case, then the reason the PAT translation stops working is that the public IP address used by Gi0/0/0 for port 3389 is no longer available.
Can you not just add a second line:
ip nat inside source static tcp 192.168.1.10 3389 y.y.y.y 3389 extendable
where y.y.y.y is the IP address of your Gi0/0 interface.
If I've misunderstood, please describe the configuration in more detail, or better yet, post your config.
answered Apr 20 '15 at 13:10 by ChadH360
That's correct, two internet connections for redundancy, except our Gi0/0 is primary - so in the normal operating case where both connections are physically up and the default gateway is the primary Gi0/0, we cannot come in through the backup Gi0/0/0 using the 3389 port forward. A Wireshark capture actually shows the packets hitting the destination server, but what happens after that I'm guessing is the router sending return traffic out the default route instead of the WAN the traffic came in on (which should be Gi0/0/0). Hope that clears it up a bit.
– Antix, Apr 20 '15 at 13:18
Thanks. Can you clarify a bit further? Are both of these interfaces up at the same time, or does the backup kick in in the event of the primary failing? Do the two connections have different public IP addresses, or is there a shared address space? Can you post a cleansed version of your config?
– ChadH360, Apr 20 '15 at 22:15
Not a problem; yes, both interfaces are up at the same time and both have different public IP addresses. I have updated my question to include a shortened config. Also, last night I confirmed that return traffic was indeed exiting the router out of Gig0/0 rather than Gig0/0/0 when I attempted to RDP to y.y.y.y:3389.
– Antix, Apr 20 '15 at 23:46
Thanks for the additional info. This should be doable with a route map. I can look into this for you tomorrow, but I just don't have the time right now. However, one quick, dirty fix would be to assign a second internal IP address to the machine you are RDPing to, and then adjust your PAT for one of the interfaces to point to that address instead. That should cure your routing issue. Like I say, a route map should do it, and that would be the preferred solution.
– ChadH360, Apr 21 '15 at 0:03
I've just taken another look at your config, and you are missing the 'extendable' keyword at the end of the static PAT entry. Extendable is required when using duplicate local or global addresses. With that correction, my original answer should then work.
– ChadH360, Apr 21 '15 at 7:27
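Pulling the thread's two suggestions together (a second static PAT entry carrying the extendable keyword, plus the "second internal IP" workaround pinned with a route map so that replies leave by the WAN they arrived on), the following is an added example configuration; it is not part of the original question or answer. It assumes that x.x.x.x is the Gig0/0 address and y.y.y.y the Gig0/0/0 address as in the posted config, that the RDP server is given a second address 192.168.1.11, and it uses <BACK_GATEWAY_IP> as a placeholder for the backup ISP's next hop; the ACL and route-map names that are not the poster's are my own.

```cisco
! Added example, not the poster's config. Assumptions: x.x.x.x = Gig0/0 (primary),
! y.y.y.y = Gig0/0/0 (backup), RDP server answers on 192.168.1.10 and on a second
! address 192.168.1.11, <BACK_GATEWAY_IP> = backup ISP next hop (placeholder).
!
! 1. One static PAT per public address, each to its own inside address.
!    'extendable' is what the last comment asks for: it is mandatory when one
!    inside address is mapped to two public addresses, and harmless here.
ip nat inside source static tcp 192.168.1.10 3389 x.x.x.x 3389 extendable
ip nat inside source static tcp 192.168.1.11 3389 y.y.y.y 3389 extendable
!
! 2. The OUT-FILTER ACL on Gig0/1 only permits outbound traffic from the
!    Unrestricted-Access-Group, so the second server address must be in it,
!    otherwise replies from 192.168.1.11 are dropped before they are routed.
object-group network Unrestricted-Access-Group
 host 192.168.1.11
!
! 3. Replies to sessions that arrived on the backup WAN are sourced from
!    192.168.1.11:3389. Policy-route those packets to the backup gateway;
!    replies to internal clients and everything else keep following the
!    routing table (primary WAN).
ip access-list extended RDP-REPLIES-VIA-BACKUP
 deny   tcp host 192.168.1.11 eq 3389 192.168.1.0 0.0.0.255
 permit tcp host 192.168.1.11 eq 3389 any
!
route-map INSIDE-PBR permit 10
 match ip address RDP-REPLIES-VIA-BACKUP
 set ip next-hop <BACK_GATEWAY_IP>
!
route-map INSIDE-PBR permit 20
 ! no match/set clauses: fall through to normal routing
!
interface GigabitEthernet0/1
 ip policy route-map INSIDE-PBR
!
! 4. Verification after an RDP attempt to y.y.y.y:3389 from outside:
!    show ip nat translations | include 3389      -> extended entry for 192.168.1.11
!    show route-map INSIDE-PBR                    -> "Policy routing matches" counter rising
!    show ip access-lists RDP-REPLIES-VIA-BACKUP  -> hit count on the permit line
```

PBR runs before inside-to-outside NAT, which is why matching on the inside address works here and why a single inside address mapped to both public addresses cannot be told apart at that point. If the backup link can go down, pair the next hop with set ip next-hop verify-availability and an IP SLA track so that PBR falls back to the routing table instead of black-holing replies. Note also that the posted Gig0/0/0 interface carries no inbound ip access-group, so the second mapping exposes TCP 3389 on y.y.y.y unfiltered; restricting the permitted source addresses on both WAN interfaces, as SECURE-IN already does for telnet and SSH, belongs with this change.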
From what I understand, you have two internet connections on the router - I assume for redundancy.
Can I assume that if Gi0/0/0 goes down, then Gi0/0 takes over your internet connection?
If that is the case, then the reason the PAT translation stops working is because the public IP address that is used by Gi0/0/0 for port 3389 is no longer available
Can you not just add a second line:
ip nat inside source static tcp 192.168.1.10 3389 y.y.y.y 3389 extendable
Where y.y.y.y is the IP address of your Gi0/0 interface.
If I've misunderstood, please describe the configuration in more detail, or better yet, post your config.
That's correct, two internet connections for redundancy except our Gi0/0 is primary - so in the normal operating case where both connections are physically up, and the default gateway is the Primary Gi0/0, we cannot come in through the Backup Gi0/0/0 using the 3389 port forward. Doing a wireshark actually shows the packets hitting the destination server but what happens after that I'm guessing the router is sending return traffic out the default route instead of the WAN of the source of the traffic (which should be Gi0/0/0). Hope that clears it up a bit
– Antix
Apr 20 '15 at 13:18
Thanks. Can you clarify a bit further. Are both of these interfaces up at the same time, or does the backup kick in in the event of the primary failing. Do the two connections have different public IP addresses or is there a shared address space? Can you post a cleansed version of your config.
– ChadH360
Apr 20 '15 at 22:15
Not a problem, yes both interfaces are up at the same time and both have different public IP addresses. I have updated my question to include a shortened config. Also last night I confirmed that return traffic was indeed exiting the router out of Gig0/0 rather than Gig0/0/0, when I attempted to RDP to y.y.y.y:3389
– Antix
Apr 20 '15 at 23:46
Thanks for the additional info. This should be do-able with a route map. I can look into this for you tomorrow, but just don't have the time right now. However, one quick, dirty fix would be to assign a second internal IP address to the machine you are RDPing to, and then adjust your PAT for one of the interfaces to point to that address instead. That should cure your route issue. Like I say, a route map should do it, and that would be the preferred solution.
– ChadH360
Apr 21 '15 at 0:03
I've just taken another look at your config, and you are missing the 'extendable' keyword at the end of the static PAT entry. Extendable is required when using duplicate local or global addresses. With that correction, my original answer should then work.
– ChadH360
Apr 21 '15 at 7:27
|
show 1 more comment
From what I understand, you have two internet connections on the router - I assume for redundancy.
Can I assume that if Gi0/0/0 goes down, then Gi0/0 takes over your internet connection?
If that is the case, then the reason the PAT translation stops working is because the public IP address that is used by Gi0/0/0 for port 3389 is no longer available
Can you not just add a second line:
ip nat inside source static tcp 192.168.1.10 3389 y.y.y.y 3389 extendable
Where y.y.y.y is the IP address of your Gi0/0 interface.
If I've misunderstood, please describe the configuration in more detail, or better yet, post your config.
That's correct, two internet connections for redundancy except our Gi0/0 is primary - so in the normal operating case where both connections are physically up, and the default gateway is the Primary Gi0/0, we cannot come in through the Backup Gi0/0/0 using the 3389 port forward. Doing a wireshark actually shows the packets hitting the destination server but what happens after that I'm guessing the router is sending return traffic out the default route instead of the WAN of the source of the traffic (which should be Gi0/0/0). Hope that clears it up a bit
– Antix
Apr 20 '15 at 13:18
Thanks. Can you clarify a bit further. Are both of these interfaces up at the same time, or does the backup kick in in the event of the primary failing. Do the two connections have different public IP addresses or is there a shared address space? Can you post a cleansed version of your config.
– ChadH360
Apr 20 '15 at 22:15
Not a problem, yes both interfaces are up at the same time and both have different public IP addresses. I have updated my question to include a shortened config. Also last night I confirmed that return traffic was indeed exiting the router out of Gig0/0 rather than Gig0/0/0, when I attempted to RDP to y.y.y.y:3389
– Antix
Apr 20 '15 at 23:46
Thanks for the additional info. This should be do-able with a route map. I can look into this for you tomorrow, but just don't have the time right now. However, one quick, dirty fix would be to assign a second internal IP address to the machine you are RDPing to, and then adjust your PAT for one of the interfaces to point to that address instead. That should cure your route issue. Like I say, a route map should do it, and that would be the preferred solution.
– ChadH360
Apr 21 '15 at 0:03
I've just taken another look at your config, and you are missing the 'extendable' keyword at the end of the static PAT entry. Extendable is required when using duplicate local or global addresses. With that correction, my original answer should then work.
– ChadH360
Apr 21 '15 at 7:27
|
show 1 more comment
From what I understand, you have two internet connections on the router - I assume for redundancy.
Can I assume that if Gi0/0/0 goes down, then Gi0/0 takes over your internet connection?
If that is the case, then the reason the PAT translation stops working is because the public IP address that is used by Gi0/0/0 for port 3389 is no longer available
Can you not just add a second line:
ip nat inside source static tcp 192.168.1.10 3389 y.y.y.y 3389 extendable
Where y.y.y.y is the IP address of your Gi0/0 interface.
If I've misunderstood, please describe the configuration in more detail, or better yet, post your config.
From what I understand, you have two internet connections on the router - I assume for redundancy.
Can I assume that if Gi0/0/0 goes down, then Gi0/0 takes over your internet connection?
If that is the case, then the reason the PAT translation stops working is because the public IP address that is used by Gi0/0/0 for port 3389 is no longer available
Can you not just add a second line:
ip nat inside source static tcp 192.168.1.10 3389 y.y.y.y 3389 extendable
Where y.y.y.y is the IP address of your Gi0/0 interface.
If I've misunderstood, please describe the configuration in more detail, or better yet, post your config.
answered Apr 20 '15 at 13:10
ChadH360ChadH360
38413
38413
That's correct, two internet connections for redundancy except our Gi0/0 is primary - so in the normal operating case where both connections are physically up, and the default gateway is the Primary Gi0/0, we cannot come in through the Backup Gi0/0/0 using the 3389 port forward. Doing a wireshark actually shows the packets hitting the destination server but what happens after that I'm guessing the router is sending return traffic out the default route instead of the WAN of the source of the traffic (which should be Gi0/0/0). Hope that clears it up a bit
– Antix
Apr 20 '15 at 13:18
Thanks. Can you clarify a bit further. Are both of these interfaces up at the same time, or does the backup kick in in the event of the primary failing. Do the two connections have different public IP addresses or is there a shared address space? Can you post a cleansed version of your config.
– ChadH360
Apr 20 '15 at 22:15
Not a problem, yes both interfaces are up at the same time and both have different public IP addresses. I have updated my question to include a shortened config. Also last night I confirmed that return traffic was indeed exiting the router out of Gig0/0 rather than Gig0/0/0, when I attempted to RDP to y.y.y.y:3389
– Antix
Apr 20 '15 at 23:46
Thanks for the additional info. This should be do-able with a route map. I can look into this for you tomorrow, but just don't have the time right now. However, one quick, dirty fix would be to assign a second internal IP address to the machine you are RDPing to, and then adjust your PAT for one of the interfaces to point to that address instead. That should cure your route issue. Like I say, a route map should do it, and that would be the preferred solution.
– ChadH360
Apr 21 '15 at 0:03
I've just taken another look at your config, and you are missing the 'extendable' keyword at the end of the static PAT entry. Extendable is required when using duplicate local or global addresses. With that correction, my original answer should then work.
– ChadH360
Apr 21 '15 at 7:27
|
show 1 more comment
That's correct, two internet connections for redundancy except our Gi0/0 is primary - so in the normal operating case where both connections are physically up, and the default gateway is the Primary Gi0/0, we cannot come in through the Backup Gi0/0/0 using the 3389 port forward. Doing a wireshark actually shows the packets hitting the destination server but what happens after that I'm guessing the router is sending return traffic out the default route instead of the WAN of the source of the traffic (which should be Gi0/0/0). Hope that clears it up a bit
– Antix
Apr 20 '15 at 13:18
Thanks. Can you clarify a bit further. Are both of these interfaces up at the same time, or does the backup kick in in the event of the primary failing. Do the two connections have different public IP addresses or is there a shared address space? Can you post a cleansed version of your config.
– ChadH360
Apr 20 '15 at 22:15
Not a problem, yes both interfaces are up at the same time and both have different public IP addresses. I have updated my question to include a shortened config. Also last night I confirmed that return traffic was indeed exiting the router out of Gig0/0 rather than Gig0/0/0, when I attempted to RDP to y.y.y.y:3389
– Antix
Apr 20 '15 at 23:46
Thanks for the additional info. This should be do-able with a route map. I can look into this for you tomorrow, but just don't have the time right now. However, one quick, dirty fix would be to assign a second internal IP address to the machine you are RDPing to, and then adjust your PAT for one of the interfaces to point to that address instead. That should cure your route issue. Like I say, a route map should do it, and that would be the preferred solution.
– ChadH360
Apr 21 '15 at 0:03
I've just taken another look at your config, and you are missing the 'extendable' keyword at the end of the static PAT entry. Extendable is required when using duplicate local or global addresses. With that correction, my original answer should then work.
– ChadH360
Apr 21 '15 at 7:27
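An added configuration example, not posted by anyone in this thread, that puts the two suggestions above side by side: the `extendable` keyword on static PAT entries that reuse a local address (the correction ChadH360 points out), and the second-internal-address approach paired with a route map so that replies for sessions that arrived on the backup WAN leave through the backup WAN instead of the default route. All addresses, the inside interface name and the backup ISP next-hop (203.0.113.1, taken from a documentation range) are assumed placeholders; whether ChadH360's own route map took this form is not shown on the page.

```cisco
! Added example (not from the thread). Placeholders, all assumed:
!   x.x.x.x   = public address on GigabitEthernet0/0   (primary WAN)
!   y.y.y.y   = public address on GigabitEthernet0/0/0 (backup WAN)
!   10.0.0.10 = RDP server
!   10.0.0.11 = assumed second address configured on the same RDP server
!   203.0.113.1 = assumed next-hop of the backup ISP (documentation range)
!
! --- Variant A: one local address behind both public addresses ---
! Two static PAT entries that share the local socket 10.0.0.10:3389 are only
! accepted together when both carry 'extendable'; without it the second entry
! is refused and only one public address ever forwards port 3389.
ip nat inside source static tcp 10.0.0.10 3389 x.x.x.x 3389 extendable
ip nat inside source static tcp 10.0.0.10 3389 y.y.y.y 3389 extendable
!
! --- Variant B: second internal address plus policy routing ---
! The backup WAN forwards to the server's second address, so replies sourced
! from 10.0.0.11 can be identified and policy-routed back out the backup ISP.
! Replies from 10.0.0.10 keep following the default route via Gi0/0.
ip nat inside source static tcp 10.0.0.10 3389 x.x.x.x 3389
ip nat inside source static tcp 10.0.0.11 3389 y.y.y.y 3389
!
ip access-list extended RDP-RETURN-VIA-BACKUP
 remark replies from the backup-facing address of the RDP server
 permit tcp host 10.0.0.11 eq 3389 any
!
route-map RDP-RETURN-VIA-BACKUP permit 10
 match ip address RDP-RETURN-VIA-BACKUP
 set ip next-hop 203.0.113.1
!
! Apply the policy on the interface the server's traffic enters the router on
! (assumed name); the NAT on Gi0/0/0 then translates 10.0.0.11 back to y.y.y.y.
interface GigabitEthernet0/1
 ip policy route-map RDP-RETURN-VIA-BACKUP
!
! Verification after connecting to y.y.y.y:3389 from outside:
!   show ip nat translations | include 3389     -> entry for y.y.y.y:3389 with hits
!   show route-map RDP-RETURN-VIA-BACKUP         -> policy-routing match counter rising
```

Use one variant, not both: the two blocks define overlapping translations for 10.0.0.10:3389. Variant A alone still routes all replies by the default route, so it fixes the missing-translation problem but not the asymmetric return path the thread diagnosed; Variant B is the one that makes the return interface deterministic, at the cost of a second address on the server. Limiting the ACL to source port 3389 keeps every other flow from 10.0.0.11 on normal routing.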